Bypass Windows 10 User Group Policy (and more) with this One Weird Trick

Thread starter: ForgottenSeer 85179

ForgottenSeer 85179

I'm going to share an (ab)use of a Windows feature which can result in bypassing User Group Policy (as well as a few other interesting things). Bypassing User Group Policy is not the end of the world, but it's also not something that should be allowed and, depending on User Group Policy setup, could result in unfortunate security scenarios. This technique has been tested against Windows 7 and Windows 10 Enterprise x64 (10.18363 1909) and does not require admin access. Leveraging this trick has to do with how the user account registry is loaded upon login, so let's start this off by understanding a bit about what happens when a user logs into a Windows account.

A lot of text which I don't copy here.
But it's very interesting - even for non-technical guys
 

plat1098

Level 25
Verified
Sep 13, 2018
1,461
The author reached out to Microsoft and it was declined to investigate further, stating this is "expected" behavior. How....expected. :rolleyes:

How many Enterprises rely and depend on group policy? Honk if you want Microsoft to reverse its decision. 🚙 🔊
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,166
The User Group Policies are not as strong as the Computer (system-wide) Group Policies. Anything that relies on the Windows Registry HKCU hive can probably be bypassed with standard rights. The User Group Policies are intended to restrict users, but not malware.:) (y)
 

TairikuOkami

Level 31
Verified
Content Creator
May 13, 2017
2,046
This means if we set an explicit entry to “DENY” SYSTEM writable permissions, then it will effectively block “SYSTEM” from obtaining writable permissions since our “DENY” rule will take precedence over the “ALLOW” rule that it tries to add.
Permissions are great to play with, like when you deny Everyone write access on a USB's root, preventing autorun malware.
I blocked several ransomware from modifying files by simply blocking SYSTEM. :LOL:
Code:
takeown /f E: /a /r /d y
icacls E: /remove "Authenticated Users" "Users" "System" /grant "Users":(OI)(CI)RX /t /l /q /c
icacls E: /deny "System":(OI)(CI)F /t /l /q /c
 

ForgottenSeer 85179

preventing autorun malware.
Microsoft fixed that a long time ago ;)

I blocked several ransomware from modifying files by simply blocking SYSTEM. :LOL:
Code:
takeown /f E: /a /r /d y
icacls E: /remove "Authenticated Users" "Users" "System" /grant "Users":(OI)(CI)RX /t /l /q /c
icacls E: /deny "System":(OI)(CI)F /t /l /q /c
So what do you do if the USB drive uses another letter than E:?
Doesn't sound like a good solution to me. Sorry :p
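The drive-letter objection above is easy to answer by discovering removable volumes by their drive type instead of hard-coding E:. The following PowerShell is an added example written for this thread, not code posted by either member: it lists removable drive roots, reports whether the root already carries an explicit Deny for SYSTEM write access (the effect of the icacls lines quoted above), and optionally applies those same three commands to every discovered drive behind ShouldProcess, so -WhatIf shows what would happen before anything changes. Function names are this example's own.

```powershell
# Added example, not from the thread. Run as Administrator for the Set-* function
# (takeown /a and icacls on a drive root need it); the Get-/Test- functions are read-only.

function Get-RemovableDriveRoots {
    # Win32_LogicalDisk DriveType 2 = removable disk (USB sticks, card readers).
    # Returns roots in "E:\" form so they work with Get-Acl and Test-Path.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        Where-Object { $_.DeviceID } |
        ForEach-Object { "$($_.DeviceID)\" }
}

function Test-SystemWriteDenied {
    # Reports whether the root ACL explicitly denies SYSTEM any write right,
    # and whether Users still hold an explicit Allow (the thread's intended end state).
    param([Parameter(Mandatory)][string]$Root)

    $acl = Get-Acl -Path $Root
    # Resolve well-known SIDs to the account names used in the ACL, so this also
    # works on localized systems where "NT AUTHORITY\SYSTEM" is spelled differently.
    $systemName = ([System.Security.Principal.SecurityIdentifier]'S-1-5-18').Translate([System.Security.Principal.NTAccount]).Value
    $usersName  = ([System.Security.Principal.SecurityIdentifier]'S-1-5-32-545').Translate([System.Security.Principal.NTAccount]).Value
    $writeMask  = [System.Security.AccessControl.FileSystemRights]::Write

    $systemDeny = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $systemName -and
        $_.AccessControlType -eq 'Deny' -and
        (($_.FileSystemRights -band $writeMask) -ne 0)
    }
    $usersAllow = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $usersName -and $_.AccessControlType -eq 'Allow'
    }

    [pscustomobject]@{
        Root              = $Root
        SystemWriteDenied = [bool]$systemDeny
        UsersHaveAllow    = [bool]$usersAllow
        Owner             = $acl.Owner
    }
}

function Set-RemovableDriveHardening {
    # Applies the three commands quoted in the thread to each removable root.
    # SupportsShouldProcess gives -WhatIf / -Confirm for free.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Roots = (Get-RemovableDriveRoots))

    foreach ($root in $Roots) {
        $drive = $root.TrimEnd('\')   # takeown/icacls expect "E:" rather than "E:\"
        if ($PSCmdlet.ShouldProcess($drive, 'Take ownership, grant Users RX, deny SYSTEM full control')) {
            takeown /f $drive /a /r /d y | Out-Null
            icacls $drive /remove "Authenticated Users" "Users" "System" /grant "Users:(OI)(CI)RX" /t /l /q /c | Out-Null
            icacls $drive /deny "System:(OI)(CI)F" /t /l /q /c | Out-Null
        }
    }
}

# Usage: audit first, then dry-run the change.
Get-RemovableDriveRoots | ForEach-Object { Test-SystemWriteDenied -Root $_ } | Format-Table -AutoSize
Set-RemovableDriveHardening -WhatIf
```

One caveat worth keeping in mind before running the Set-* part for real: an explicit Deny on SYSTEM applies to every service running as LocalSystem, including antivirus engines and backup agents, so scanning and cleanup of that drive may stop working as well as the ransomware writes the poster wanted to block. The audit function is there precisely so you can see the current state and reverse it if a tool you depend on breaks.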
 

koloveli

Level 4
Sep 13, 2012
166
In this and other aspects Windows is still vulnerable;
Trojans since Windows XP have used system applications (dllhost, svchost, bypassing the firewall, bypassing user control ...) to go unnoticed by the system.
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,166
In this and other aspects Windows is still vulnerable;
Trojans since Windows XP have used system applications (dllhost, svchost, bypassing the firewall, bypassing user control ...) to go unnoticed by the system.
A non-vulnerable OS will probably be unusable.
User Group Policies can significantly reduce the danger of such infections via users' actions.
For example, if the user applies the policy to block macros in MS Office, then most of the weaponized documents cannot use system applications to infect the system.
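Two points in this thread fit one check: Andy Ful's earlier remark that anything relying on the HKCU hive can be undone with standard user rights, and the Office macro policy mentioned just above, which is a User Configuration setting and therefore lives in that hive. The PowerShell below is an added example for this thread, not code from any poster or from Microsoft: it inventories every value under HKCU\Software\Policies and HKLM\Software\Policies, lists the settings that exist only on the user side so an admin can review which of them have a Computer Configuration equivalent, and reads the Office macro setting as a concrete case. The VBAWarnings value name and the Office 16.0 policy path are Microsoft's documented registry locations, not something taken from this thread; the function names are this example's own.

```powershell
# Added example, not from the thread. Read-only: it only reads the registry.

function Get-PolicyScope {
    # Enumerate every value under the user and computer policy roots.
    param(
        [string]$UserRoot    = 'HKCU:\Software\Policies',
        [string]$MachineRoot = 'HKLM:\Software\Policies'
    )
    $result = New-Object System.Collections.Generic.List[object]
    foreach ($root in @($UserRoot, $MachineRoot)) {
        if (-not (Test-Path $root)) { continue }
        $hive = if ($root -like 'HKCU:*') { 'User' } else { 'Computer' }
        $keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            # Path relative to the policy root, so user and computer entries can be compared.
            $relative = $key.Name -replace '^HKEY_(CURRENT_USER|LOCAL_MACHINE)\\Software\\Policies\\?', ''
            foreach ($name in $key.GetValueNames()) {
                $result.Add([pscustomobject]@{
                    Hive  = $hive
                    Path  = $relative
                    Name  = $name
                    Value = $key.GetValue($name)
                })
            }
        }
    }
    return $result
}

function Get-UserOnlyPolicies {
    # Settings present under HKCU\Software\Policies with no same-path value under HKLM.
    # These are the ones that depend on the user hive alone. Many policies are
    # user-only by design; this is a review list, not a list of misconfigurations.
    $all = Get-PolicyScope
    $machine = @{}
    foreach ($m in ($all | Where-Object { $_.Hive -eq 'Computer' })) {
        $machine["$($m.Path)\$($m.Name)"] = $true
    }
    $all | Where-Object { $_.Hive -eq 'User' -and -not $machine.ContainsKey("$($_.Path)\$($_.Name)") }
}

function Get-OfficeMacroPolicy {
    # Office 2016/2019/365 read security policy from the 16.0 branch.
    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable except digitally signed, 4 = disable all without notification.
    param([string[]]$Apps = @('Word', 'Excel', 'PowerPoint'), [string]$Version = '16.0')
    foreach ($app in $Apps) {
        $path = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $value = (Get-ItemProperty -Path $path -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        [pscustomobject]@{
            App            = $app
            VBAWarnings    = $value
            MacrosBlocked  = ($value -eq 4)
            StoredInHive   = 'HKCU'   # user-side policy: subject to the weakness the thread describes
        }
    }
}

# Usage: review user-only policies, then the macro setting specifically.
Get-UserOnlyPolicies | Sort-Object Path, Name | Format-Table Path, Name, Value -AutoSize
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Reading the output: a macro setting that shows MacrosBlocked = True is only as strong as the HKCU hive it sits in, which is the whole point of the thread. Where a restriction has a Computer Configuration counterpart (or can be enforced by something that does not consult the user hive, such as an application control policy or an endpoint security product's own settings), moving it there removes this dependency; where it does not, the user-only list at least tells you which controls an attacker with standard rights could switch off.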
 

ForgottenSeer 823865

It is not difficult to create a very safe OS, it just requires a powerful machine.
See the Qubes OS principle, where every app runs in its own mini-VM.

An OS isn't supposed to be safe, it is supposed to be usable for as many users as possible.
With time, and because of the growing cybercriminal activities, it has to be safe.

LOLbins aren't really an issue, they are just processes that can easily be blocked via Windows' own tools or 3rd-party ones.
Even the crucial ones can be mitigated to some extent.

The real issue is the users who aren't educated to distinguish and face threats, and by their unsafe behavior provoke their own demise and contribute involuntarily to the growth of criminal activity. Ransomware is the perfect example.

And add on top kernel vulnerabilities that can't be mitigated by security tools but only by the OS vendors. And we have the situation we are in now.
 

ForgottenSeer 85911

It is not difficult to create a very safe OS, it just requires a powerful machine.
See the Qubes OS principle, where every app runs in its own mini-VM.

An OS isn't supposed to be safe, it is supposed to be usable for as many users as possible.
With time, and because of the growing cybercriminal activities, it has to be safe.

LOLbins aren't really an issue, they are just processes that can easily be blocked via Windows' own tools or 3rd-party ones.
Even the crucial ones can be mitigated to some extent.

The real issue is the users who aren't educated to distinguish and face threats, and by their unsafe behavior provoke their own demise and contribute involuntarily to the growth of criminal activity. Ransomware is the perfect example.

And add on top kernel vulnerabilities that can't be mitigated by security tools but only by the OS vendors. And we have the situation we are in now.

The current world IT system is so broken that no solution is possible.
The future is private individuals paying for insurance against losses due to cybercrime, like LifeLock.
20 years from now everybody will buy such insurance.
 

koloveli

Level 4
Sep 13, 2012
166
A non-vulnerable OS will probably be unusable.
User Group Policies can significantly reduce the danger of such infections via users' actions.
For example, if the user applies the policy to block macros in MS Office, then most of the weaponized documents cannot use system applications to infect the system.
Block an application in the firewall and try to access it remotely, exploring the blocked app, and see what happens. This also applies to installing and running advanced malware (bypassing the Windows Defender policy block).
 